EZ Server Monitor is a lightweight server monitoring tool that tracks system resources and services. As a monitoring solution that collects and displays system information, proper security configuration is essential to prevent unauthorized access and information disclosure. This guide covers security measures for production EZ Server Monitor deployments.
EZ Server Monitor architecture includes these security-sensitive components:
Key security concerns include web interface protection, check script security, notification credential protection, and system information disclosure.
Configure firewall rules for EZ Server Monitor:
# Web interface (Apache/Nginx)
ufw allow from 10.0.0.0/8 to any port 80 proto tcp
ufw allow from 10.0.0.0/8 to any port 443 proto tcp
# Block external access
ufw deny from any to any port 80 proto tcp
ufw deny from any to any port 443 proto tcp
Configure web server binding:
# /etc/apache2/sites-available/ez-server-monitor.conf
<VirtualHost 10.0.1.100:443>
ServerName ezmon.company.com
DocumentRoot /var/www/html/ez-server-monitor
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ezmon.crt
SSLCertificateKeyFile /etc/ssl/private/ezmon.key
<Directory /var/www/html/ez-server-monitor>
Require ip 10.0.0.0/8 192.168.0.0/16
Options -Indexes
AllowOverride None
</Directory>
</VirtualHost>
Configure HTTP authentication:
# /etc/apache2/sites-available/ez-server-monitor.conf
<Directory /var/www/html/ez-server-monitor>
AuthType Basic
AuthName "EZ Server Monitor Access"
AuthUserFile /etc/ezmon/.htpasswd
Require valid-user
Require ip 10.0.0.0/8
</Directory>
Manage users:
# Create admin user
htpasswd -c /etc/ezmon/.htpasswd admin
# Add additional users
htpasswd /etc/ezmon/.htpasswd username
If EZ Server Monitor has built-in auth:
// config.php
$auth_enabled = true;
$session_timeout = 3600;
$min_password_length = 12;
Configure user roles:
Role Permissions:
- admin: Full access including configuration
- operator: Can view metrics and acknowledge alerts
- viewer: Read-only access to dashboards
Secure API access (if available):
# Generate API token
# Use token for API access
curl -H "Authorization: Bearer ${API_TOKEN}" \
http://localhost/api/v1/status
Configure HTTPS:
# /etc/apache2/sites-available/ez-server-monitor-ssl.conf
<VirtualHost *:443>
ServerName ezmon.company.com
DocumentRoot /var/www/html/ez-server-monitor
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ezmon.crt
SSLCertificateKeyFile /etc/ssl/private/ezmon.key
SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
# Security headers
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
<Directory /var/www/html/ez-server-monitor>
Options -Indexes
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Generate and manage certificates:
# Generate self-signed certificate
openssl req -new -x509 -days 365 -nodes \
-out /etc/ssl/certs/ezmon.crt \
-keyout /etc/ssl/private/ezmon.key \
-subj "/CN=ezmon.company.com/O=Company"
# Or use Let's Encrypt
certbot --apache -d ezmon.company.com
Secure PHP application:
# /etc/php/8.1/apache2/php.ini
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Strict
Secure monitoring scripts:
# Set restrictive permissions on check scripts
chown root:ezmon /var/www/html/ez-server-monitor/checks/
chmod -R 750 /var/www/html/ez-server-monitor/checks/
# Review scripts for security issues
# Never store credentials in scripts
Secure notification credentials:
// config.php
// Bad - Never store plaintext credentials
// $smtp_password = 'SecretPass123';
// Good - Use environment variables
$smtp_password = getenv('SMTP_PASSWORD');
// Or use encrypted storage
$smtp_password = decrypt(getenv('ENCRYPTED_SMTP_PASSWORD'));
Restrict file access:
# Deny access to sensitive files
<FilesMatch "^\.">
Require all denied
</FilesMatch>
<FilesMatch "\.(php|inc|sql|log|conf)$">
Require all denied
</FilesMatch>
Secure SQLite database:
# Set restrictive permissions
chown www-data:www-data /var/www/html/ez-server-monitor/data/ezmon.db
chmod 640 /var/www/html/ez-server-monitor/data/ezmon.db
# Use encrypted filesystem
# Mount data directory on encrypted volume
Enable data encryption:
// config.php
// Enable encryption for stored data
$encryption_enabled = true;
$encryption_key = getenv('ENCRYPTION_KEY');
Secure sensitive configuration:
# Use environment variables
export SMTP_PASSWORD="secure_password"
export API_KEY="secure_api_key"
# Or use external secrets file
# Include in config.php:
// if (file_exists('/etc/ezmon/secrets.php')) {
// include '/etc/ezmon/secrets.php';
// }
Protect secrets file:
# Set restrictive permissions
chown root:www-data /etc/ezmon/secrets.php
chmod 640 /etc/ezmon/secrets.php
Secure log files:
# Set restrictive permissions
chown www-data:adm /var/log/ezmon
chmod 750 /var/log/ezmon
# Configure log rotation
cat > /etc/logrotate.d/ez-server-monitor << EOF
/var/log/ezmon/*.log {
weekly
rotate 4
compress
delaycompress
missingok
notifempty
create 640 www-data adm
}
EOF
Enable logging:
// config.php
$log_enabled = true;
$log_file = '/var/log/ezmon/ezmon.log';
$log_level = 'INFO';
// Audit logging
$audit_enabled = true;
$audit_file = '/var/log/ezmon/audit.log';
Configure web server access logging:
# /etc/apache2/sites-available/ez-server-monitor.conf
CustomLog /var/log/apache2/ezmon_access.log combined
ErrorLog /var/log/apache2/ezmon_error.log
Monitor for security events:
#!/bin/bash
# /usr/local/bin/check-ezmon-security.sh
# Check for failed authentication
FAILED_AUTH=$(grep -c "authentication failed" /var/log/ezmon/ezmon.log 2>/dev/null || echo 0)
if [ "$FAILED_AUTH" -gt 10 ]; then
echo "CRITICAL: Multiple authentication failures"
exit 2
fi
# Check for script execution errors
SCRIPT_ERRORS=$(grep -c "script error" /var/log/ezmon/ezmon.log 2>/dev/null || echo 0)
if [ "$SCRIPT_ERRORS" -gt 20 ]; then
echo "WARNING: High number of script errors"
exit 1
fi
Forward logs to SIEM:
# /etc/rsyslog.d/ezmon.conf
:programname, isequal, "ez-server-monitor" /var/log/ezmon/syslog.log
:programname, isequal, "ez-server-monitor" @siem.company.com:514